Chapter 11 Security on the Internet According to the traditional definition, network security comprises integrity, confidentiality, and availability. Message integrity ensures that if an unauthorized party modifies a message between the sender and the receiver, the receiver is able to detect this modification. In addition to message integrity, integrity mechanisms always provide some type of proof of data origin. Knowing that a message has not been modified without knowing who initially created the message would be useless. Confidentiality mechanisms keep unauthorized parties from gaining access to the contents of a message. Confidentiality is typically achieved through encryption. Denial of Service (DoS) attacks compr omise the system’s availability by keeping authorized users from accessing a particular service. The m ost common DoS attacks consist of keeping the servers busy performing an operation or sending the servers more traffic than they can handle. SIP provides several security mechanisms to address integrity, confidentiality, and availability. Some of the security mechanisms come from the world of the web, some come from the world of email, and some of them are SIP-specific. We analyze these mechanisms in the following sections and describe how they relate to the three security properties just described. 11.1 HTTP Digest Access Authentication The first problem a SIP server faces is authenticating users who are requesting services. SIP has inherited an authentication mechanism from HTTP called HTTP Digest Access Authentication (specified in RFC 2617 [145]). In the SIP context the server authenticating the user (i.e., the caller) can be a proxy, a registrar, a redirect server, or a user agent (the callee’s user agent). The WWW-Authenticate and Authorization header fields are used with registrars, redirect servers, and user agents, and the Proxy-Authenticate and Proxy-Authorization header fields are used with proxies. When using HTTP Digest Access Athentication the client and the server have a shared secret (e.g., a password), which is exchanged using an out-of-band mechanism. When a server at a given domain receives a request from a client the server challenges the client to provide valid credentials for that domain. At that point the client provides the server with a username and proves that the client knows the shared secret. ´ıa- M ar t´ın The 3G IP Multimedia Subsystem (IMS): Merging the Internet and the Cellular Worlds Third Edition Gonzalo Camarillo and Miguel A. Garc © 2008 John Wiley & Sons, Ltd. ISBN: 978- 0- 470- 51662- 1 278 CHAPTER 11. SECURITY ON THE INTERNET An obvious way for the client to prove that it knows the shared secret would be to send it to the server in clear text (i.e., without any encryption). In fact, this is what HTTP basic access authentication (also specified in RFC 2617 [145]) does. Nevertheless, the security risks created by sending passwords in clear text are obvious. Any attacker that manages to gain access to the message carrying the shared secret gains access to the shared secret itself. Previous SIP specifications allowed the use of basic authentication, but it has now been deprecated for some time. The u se of HTTP Digest Access Authentication is currently recommended instead. Clients using digest can prove that they know the shared secret without sending it over the network. Digest uses hashes and nonces for this purpose. A hash algorithm is a one-way function that takes an argument of an arbitrary length and produces a fixed length result, as shown in Figure 11.1. The fact that hash algorithms are one-way functions means that it is computationally infeasible to obtain the original argument from the result. Two popular hash algorithms are MD5 (specified in RFC 1321 [263]) and SHA1 (specified in RFC 3174 [127]). A nonce is a random value that is used only once. This is a short text. This text is not that short. Many would even say that it is fairly long. Hash function Hash function abd45gx534 6hbcRsQ3jP gyE4n9BawH JK3AiBxZfh Fixed length output Computationally infeasible Computationally infeasible Figure 11.1: Hash function Figure 11.2 shows how digest uses hashes and nonces. Alice sends an INVITE (1) request addressed to Bob through her outbound proxy (at domain.com). The proxy challenges the INVITE with a 407 (Proxy Authentication Required) response (2). The proxy includes a Proxy-Authenticate header field with a set of parameters. The realm parameter indicates the domain of the proxy server, so that the client knows which password to use. The qop (quality of protection) parameter indicates that the server supports integrity protection for either the request line alone (auth) or for both the request line and the message body (auth-int). The server provides the client with a random nonce in the nonce parameter. The algorithm parame ter identifies the hash fun ction (MD5, in this example). When the client receives the response it issues a new INVITE (3) with a Proxy-Authori- zation header field. The Proxy-Authorization header field contains a set of parameters. The response parameter is especially interesting. It contains a hash comprising, among other things, the username, the password, the server’s nonce, the client’s nonce (cnonce parameter), and the request line. When the auth-int qop is chosen the message body is also fed into the hash algorithm to generate the response parameter. When the server r eceives this Proxy-Authorization header field it calculates another hash value using the same input as the client, but using the shared secret the server has. If the result matches the value in the response parameter of the INVITE request the server 11.1. HTTP DIGEST ACCESS AUTHENTICATION 279 Alice (1) INVITE SIP proxy domain.com (2) 407 Proxy Authentication Required Proxy-Authenticate: Digest realm="domain.com", qop="auth,auth-int", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", algorithm=MD5 (3) INVITE Proxy-Authorization: Digest username="alice", realm="domain.com", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="sip:bob@domain2.com", qop=auth, nc=00000001, cnonce="0a4f113b", response="6629fae49393a05397450978507c4ef1", algorithm=MD5 Figure 11.2: HTTP Digest Access Authentication operation considers the authentication successful and keeps on processing the INVITE. Otherwise, the server will challenge this INVITE again. The inclusion of random nonces chosen by the server in the hash prevents replay attacks. Even if an eavesdropper manages to obtain the correct hash value for a particular nonce it will not be able to access the server, since the server will challenge it with a d ifferent random nonce. 11.1.1 Security Properties of Digest HTTP Digest Access Authentication provides authentication of users and a limited degree of integrity protection (no confidentiality). Digest integrity protects the request line (i.e., method and Request-URI) and, potentially, the message body. Still, it does not integrity- protect the header fields of the message. This lack of header field protection is an important drawback, because, as we saw in previous chapters, header fields in SIP carry important information which attackers can easily manipulate if digest is used by itself. In brief, digest access authentication is vulnerable to Man-in-the-Middle (MitM) attacks. 280 CHAPTER 11. SECURITY ON THE INTERNET Regarding availability, digest offers good DoS protection. Servers issuing challenges using digest can remain stateless until the new request arrives. So, an attacker issuing a large number of requests to a server will not block any resources for a long period of time. In addition to client authentication, digest can also provide server authentication. That is, the server can prove to the client that the server knows their shared secret as well. Nevertheless, this feature is not used by SIP proxies. Digest client authentication is common because user agents acting as clients d o not typically have certificates to use more advanced and secure certificate-based authentication mechanisms. On the other hand, domain administrators typically provide their proxy servers with site certificates, which is why certificate-based proxy authentication is used instead of digest server authentication. 11.2 Certificates Certificates are key to understanding TLS and S/MIME (which are described in the following sections). A certificate is a statement about the truth of something signed by a trusted party. A passport is an example of a certificate. The government of a country certifies the identity of the passport holder. Everyone who trusts the government will be convinced of the identity of the holder. Certificates used in SIP bundle together a public key with a user (e.g., sip:Alice. Smith@domain.com), a domain (e.g., domain.com), or a host (e.g., ws1234.domain.com). Domain certificates, also known as site certificates, are used by network elements (i.e., prox- ies, redirect servers, and registrars) and are usually signed by a certification authority whose public key is well known. This way, any SIP entity that knows the public key of the certification authority can check the validity of the certificates presented by another SIP entity. Within a domain, host certificates can be used to authenticate different network nodes (e.g., two p roxies). Since building and managing a certification authority hierarchy to provide signed certificates to every user has been proven to be a difficult task for a number of reasons (technical and nontechnical), SIP allows the use of self-signed certificates: that is, certificates that are not signed by any certification authority. Section 11.4 describes how self-signed certificates are used in SIP. 11.3 TLS TLS (Transport Layer Security, specified in RFC 2246 [120]) is based on SSL (Secure Sockets Layer). SSL was designed to protect web communications and is currently implemented in most Internet browsers. TLS is more generic than SSL and can be used to protect any type of reliable connection. So, using TLS to protect SIP traffic is yet another security solution that comes from the world of the web. TLS provides data integrity and confidentiality for reliable connections (e.g., a TCP connection). It can also provide compression, although that feature is not typically used. TLS consists of two layers: namely, the TLS handshake layer and the TLS record layer. The TLS handshake layer handles the authentication of peers, using public keys and certificates, and the negotiation of the algorithm and the keys to encrypt the actual data transmission. Once a reliable connection at the transport layer is estab lished (e.g ., a TCP connection) a TLS handshake takes place. The handshake starts with an exchange of hello messages and usually takes two RTTs (Round Trip Times) to complete. During authentication 11.3. TLS 281 the server provides the client with the server’s certificates (e.g., X.509 certificates [187]) and can optionally request the client to provide its certificates as well. The server chooses the encryption algorithm to be used from among those supported by the client. The TLS handshake also allows peers to generate a so-called premaster secret (e.g., using Diffie–Hellman) and to exchange random values. The premaster secret and the random values are used b y the TLS record layer to generate the encryption key. The TLS record layer handles the encryption of the data. It typically uses a symmetric encryption algorithm whose key is generated from the values provided by the handshake layer. As we can see in Figure 11.3, when TLS is used over TCP peers need to wait for three RTTs (one for the TCP handshake and two for the TLS handshake) before exchanging secure data. Note that in Figure 11.3 we assume that the TLS Client Hello (3) is piggybacked on the TCP ACK that completes the TCP three-way handshake, although many TCP implementations send them in parallel rather than in a single datagram. Alice (1) TCP SYN SIP Proxy domain.com (2) TCP SYN (3) TCP ACK +TLS Client Hello (5) TLS Certificate, Key stuff, Certificate Verify, Change Cipher, Finished (4) TLS Server Hello, Certificate, Key stuff, Certificate request, Done (6) TLS Change cipher, Finished (7) INVITE (8) 200 OK (9) ACK Handled by the TLS handshake layer Handled by the TLS record layer Figure 11.3: TLS connection establishment 11.3.1 SIP Usage From the SIP point of view, TLS is a hop-by-hop security solution. That is, a TLS connection protects the messages exchanged between a SIP entity and the SIP entity one ho p away (e.g., a user agent and a proxy). For example, if Alice’s outbound proxy needs to send a SIP message to Bob through his p roxy server at domain2.com, Alice’s proxy will perform a DNS lookup for domain2.com. If the DNS records for domain2.com show that the proxy at domain2.com prefers to use TLS, they will exchange SIP traffic using a TLS connection; however, establishing this TLS connection is out of Alice’s control. When Alice sent the original message to her outbound proxy she did not know anything about the domain2.com DNS records. If these DNS records had said that UDP with no security was preferred over TLS, the proxies would not have used any kind of encryption. So, Alice needs a way to tell her proxy that she wants her message to be protected all of the time. That is, she wants all of the proxies in the path to exchange data using TLS while handling her request. SIP provides 282 CHAPTER 11. SECURITY ON THE INTERNET a mechanism for user agents to request this type of treatment for a request: the SIPS URI scheme. When a user agent sends a request to a SIPS URI it is requesting that every proxy in the path uses TLS to relay the request to the next proxy. Still, using SIPS URIs does not imply that the last proxy will use TLS to relay the request to the destination user agent. The last proxy is free to use whatever security mechanism it has agreed on with the user agent (e.g., a manually configured IPsec association). This is because users of a particular domain can agree on the security mechanisms to use within that domain fairly easily. On the other hand, doing so for inter-domain communications would be difficult to manage. It is better to use a default solution for this case (i.e., TLS). Of course, the use of SIPS URIs also implies that proxies route the responses to the request using TLS as well. 11.3.1.1 Client Authentication As we said earlier, TLS supports certificate-based client and server authentication. This type of authentication is used when a proxy acts as a client sending a request to another proxy that acts as a server. In any case, while proxies typically have site certificates, at present SIP User Agents do not usually have certificates. One way to provide client and server authentication without providing user agents with certificates is to use digest access authentication over TLS. The server is authenticated using certificates at the TLS handshake layer, and the user agent (the client) is authenticated using digest once the TLS connection has been established. 11.4 S/MIME SIPS URIs ensure that messages are secured hop by hop. Still, every SIP proxy handling a message with a SIPS URI has access to all of the contents of that message. Of course, proxies need to have access to some header fields (i.e., Route, Request-URI, Via,etc.),but user agents may want to exchange some information they d o not want proxies to have access to. For example, Alice and Bob may not want the proxies to be aware of which type of session (e.g., audio or video) they are establishing, or they may want to exchange cryptographic keys to exchange media traffic in a secure way. The fact that Alice and Bob trust their proxies to route messages does not mean that they want the proxies’ administrators to be able to listen to their conversation. Some type of end-to-end security is needed. SIP uses an end-to-end security solution from the email world: S/MIME. Section 4.7 described how SIP uses the Multipurpose Internet Mail Extensions (MIME) format specified in RFC 2045 [146] to encode multipart SIP bodies. S/MIME (Secure/MIME) allows us, among other things, to sign and encrypt message parts and encode them using MIME. These message parts are usually message bodies (e.g., a session description), although sometimes header fields carrying sensitive information are protected as well. The CMS (Cryptographic Message Syntax, specified in RFC 3369 [168]) is a binary format to encode, among other things, signed messages, encrypted messages, and the certificates related to those messages. (RFC 2633 [259] d escribes how to encode CMS binary objects using MIME.) Figure 11.4 shows an example of an encrypted body using S/MIME. Message bodies are encrypted using a symmetric content encryption key, which is encrypted using the public key of the recipient (symmetric encryption is much faster than public key-based encryption), as shown in Figure 11.5. The recipient decrypts the content encryption key using their private key and then decrypts the message with the content encryption key, as shown in Figure 11.6. 11.4. S/MIME 283 INVITE sip:Alice.Smith@domain.com SIP/2.0 Via: SIP/2.0/UDP ws1.domain2.com:5060;branch=z9hG4bK74gh5 Max-Forwards: 70 From: Bob <sip:Bob.Brown@domain2.com>;tag=9hx34576sl To: Alice <sip:Alice.Smith@domain.com> Call-ID: 6328776298220188511@192.0.100.2 Cseq: 1 INVITE Contact: <sip:bob@192.0.100.2> Content-Length: 197 Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename=smime.p7m; handling=required rfvbnj756tbBghyHhHUujhJhjH77n8HHGT9HG4VQpfyF467GhIGfHfYT6 7n8HHGghyHhHUujhJh4VQpfyF467GhIGfHfYGTrfvbnjT6jH7756tbB9H f8HHGTrfvhJhjH776tbB9HG4VQbnj7567GhIGfHfYT6ghyHhHUujpfyF4 0GhIGfHfQbnj756YT64V Figure 11.4: Message body encrypted using S/MIME Message Content Encryption Key Encrypted Message Recipient's Public Key Encrypted Content Encryption Key Figure 11.5: Encrypting a body using S/MIME 284 CHAPTER 11. SECURITY ON THE INTERNET Encrypted Message Encrypted Content Encryption Key Message Recipient's Private Key Content Encryption Key Figure 11.6: Decrypting a body using S/MIME Figure 11.7 shows an example of a signed body using S/MIME. Message bodies are signed with the sender’s private key. Signed message bodies usually carry the sender’s certificate. In this way the receiver obtains the sender’s public key, which should be used to check the validity of the signature. If a message body needs to be signed and encrypted the message bodies of Figures 11.4 and 11.7 can be nested. The encrypted message body can be signed or the signed message body can be encrypted. The format in Figure 11.7 works well when the recipient of the message supports S/MIME. Nevertheless, at present many user agents do not support it. Such a user agent would not be able to understand Figure 11.7, since it uses the CMS binary format. There is an alternative way to sign messages that makes them understandable for S/MIME-unaware user agents (described in RFC 1847 [147]). Figure 11.8 shows an example of this format. The message body (an SDP session description) is encoded as an independent MIME part, and the signature is encoded using the S/MIME binary format. This type of signature is referred to as a CMS-detached signature, because it is not encoded together with the message body that has been signed. Even if S/MIME-unaware implementations were able to parse the session description, they of course would not be able to verify the signature. In that case the integrity of the message cannot be verified. 11.4.1 Self-signed Certificates As explained in Section 11.2, in the absence of a certification authority S/MIME bodies can carry self-signed certificates that bundle a public key with a user. However, at first sight this seems to provide no security at all. An attacker can sign or encrypt a message with her private key and send it along with a certificate saying that her public key belongs to 11.5. AUTHENTICATED IDENTITY BODY 285 INVITE sip:Alice.Smith@domain.com SIP/2.0 Via: SIP/2.0/UDP ws1.domain2.com:5060;branch=z9hG4bK74gh5 Max-Forwards: 70 From: Bob <sip:Bob.Brown@domain2.com>;tag=9hx34576sl To: Alice <sip:Alice.Smith@domain.com> Call-ID: 6328776298220188511@192.0.100.2 Cseq: 1 INVITE Contact: <sip:bob@192.0.100.2> Content-Length: 197 Content-Type: application/pkcs7-mime; smime-type=signed-data; name=smime.p7m Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename=smime.p7m; handling=required 567GhIGfHfYT6ghyHhHUujpfyF4f8HHGTrfvhJhjH776tbB9HG4VQbnj7 77n8HHGT9HG4VQpfyF467GhIGfHfYT6rfvbnj756tbBghyHhHUujhJhjH HUujhJh4VQpfyF467GhIGfHfYGTrfvbnjT6jH7756tbB9H7n8HHGghyHh 6YT64V0GhIGfHfQbnj75 Figure 11.7: Message body signed using S/MIME sip:Alice.Smith@domain.com. The recipient would be fooled by this certificate, since it does not have any means to check the validity of this certificate. Self-signed certificates need a so-called leap of faith. That is, the first time a user exchanges SIP traffic with a second user the first u ser assumes that they are not under attack. When both users exchange traffic between them at a later time they assume that the keys used the first time are the valid ones. This mechanism is also used by other protocols such as SSH (specified in the Internet-Draft “SSH Protocol Architecture” [318]). In many scenarios the leap of faith provides good security properties. Two users can exchange their self-signed certificates using a cable between their user agents, or they can establish an audio session to read aloud their public keys to each other and check whether they are the same as those received in the self-signed certificate. There are many ways to obtain another user’s public key in a secure enough manner. Users just need to choose the one they prefer in each situation. 11.5 Authenticated Identity Body We have just seen how to protect message bodies using S/MIME. In addition to message bodies, S/MIME can be used to protect header fields as well. The idea is to place a copy of the header fields to be protected in a body and to protect it using S/MIME. The Authenticated Identity Body (AIB, specified in RFC 3893 [249]) is a good example of how to use S/MIME to integrity-protect h eader fields carrying identity in formation such as From, To,andContact. The header fields that the user wants to protect are placed in a body whose Content-Type is message/sipfrag. This type of body carries fragments of SIP messages as opposed to whole SIP messages (which are carried in message/sip bodies). 286 CHAPTER 11. SECURITY ON THE INTERNET INVITE sip:Alice.Smith@domain.com SIP/2.0 Via: SIP/2.0/UDP ws1.domain2.com:5060;branch=z9hG4bK74gh5 Max-Forwards: 70 From: Bob <sip:Bob.Brown@domain2.com>;tag=9hx34576sl To: Alice <sip:Alice.Smith@domain.com> Call-ID: 6328776298220188511@192.0.100.2 Cseq: 1 INVITE Contact: <sip:bob@192.0.100.2> Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="34573255067boundary" Content-Length: 709 34573255067boundary Content-Type: application/sdp Content-Disposition: session v=0 o=Alice 2790844676 2867892807 IN IP4 192.0.0.1 s=Let’s talk about swimming techniques c=IN IP4 192.0.0.1 t=0 0 m=audio 20000 RTP/AVP 0 a=sendrecv m=video 20002 RTP/AVP 31 a=sendrecv 34573255067boundary Content-Type: application/pkcs7-signature; name=smime.p7s Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename=smime.p7s; handling=required ghyHhHUujhJhjH77n8HHGTrfvbnj756tbB9HG4VQpfyF467GhIGfHfYT6 4VQpfyF467GhIGfHfYT6jH77n8HHGghyHhHUujhJh756tbB9HGTrfvbnj n8HHGTrfvhJhjH776tbB9HG4VQbnj7567GhIGfHfYT6ghyHhHUujpfyF4 7GhIGfHfYT64VQbnj756 34573255067boundary Figure 11.8: Message body signed using CMS-detached signatures [...]... Figure 11. 10 (some parts of the ESP trailer are encrypted and integrity-protected, while other parts are not; Figure 11. 12 clarifies this point further) The ESP header contains the SPI, the sequence number of the packet, and the initialization vector for the encryption algorithm The ESP trailer contains optional padding in case it is required by the encryption algorithm and data related to authentication... ;tag=9hx34576sl CHAPTER 11 SECURITY ON THE INTERNET 292 11. 8 Encrypting Media Streams In addition to securing SIP messages, users are often interested in securing the media that they exchange For example, they may want to have confidential conversations or to be sure that no one is modifying the contents of their instant messages In a single session there can be several media streams with different security. .. and the IPsec DOI (Domain of Interpretation, specified in RFC 2407 [252]) document defines which attributes need to be negotiated in an IPsec security association The establishment of an IPsec security association consists of two steps In the first step, peers establish a security association to run IKE on it In the second step, peers use this security association to securely agree on the parameters of the. .. route the request further 11. 6 IPsec IPsec (whose architecture is specified in RFC 2401 [200]) provides confidentiality and integrity protection at the network layer Nodes that want to exchange secure IPsec-protected traffic between them set up a so-called security association A security association is identified by the addresses of the nodes and by its SPI (Security Parameters Index), and it contains the security. .. the common RTP/AVP (Real-Time Transport Protocol/Audio and Video Profile) we have seen so far in session descriptions RTP/SAVP identifies the SRTP (Secure RTP) protocol, which is described in Section 16.2.4 m=audio 20000 RTP/SAVP 0 a=key-mgmt:mikey Figure 11. 15: Key management information in SDP 11. 8.1 MIKEY The key management protocol that appears in the session... provide identity protection, and offers less negotiation power 11. 6.3.2 IPsec Security Association Establishment IPsec security associations are established using the so-called quick mode The quick mode uses an IKE security association and consists of three messages After this exchange, peers are ready to exchange traffic using the IPsec security association they just established 11. 7 Privacy Users sometimes... anonymous to the rest of the network SIP User Agents can request different types of privacy from a proxy by using a Privacy header field (as described in RFC 3323 [247]) The proxy typically authenticates the user and then encrypts, removes, or simply changes the contents of the header fields with personal information about the user The proxy can also insert an AIB (as described in Section 11. 5), confirming... parameters of the IPsec security association that will carry the actual data traffic 11. 6.3.1 IKE Security Association Establishment There are two modes to establish the IKE security association: the main mode and the aggressive mode The main mode consists of six messages (i.e., three RTTs) and allows peers to hide their identities from potential attackers The aggressive mode only uses three messages,... a=rtpmap:0 PCMU/8000 unique-boundary-1 Content-Type: multipart/signed; boundary=boundary2 protocol="application/pkcs7-signature"; micalg=sha1; Content-Length: 696 boundary2 Content-Type: message/sipfrag Content-Disposition: aib; handling=optional From: Bob To: Alice Call-ID: 6328776298220188 511@ 192.0.100.2 Cseq: 1 INVITE Contact: ... requirements One media stream may have to be encrypted while another may only need to be integrityprotected Therefore, the natural place to introduce media security is in the session description, rather than in the SIP header fields (which would apply to the whole session) The key management extensions for SDP (specified in RFC 4567 [78]) are encoded as SDP attributes (a= lines) An additional attribute . <sip:bob@192.0.100.2> Content-Length: 197 Content-Type: application/pkcs7-mime; smime-type=signed-data; name=smime.p7m Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename=smime.p7m; handling=required 567GhIGfHfYT6ghyHhHUujpfyF4f8HHGTrfvhJhjH776tbB9HG4VQbnj7 77n8HHGT9HG4VQpfyF467GhIGfHfYT6rfvbnj756tbBghyHhHUujhJhjH HUujhJh4VQpfyF467GhIGfHfYGTrfvbnjT6jH7756tbB9H7n8HHGghyHh 6YT64V0GhIGfHfQbnj75 Figure. not; Figure 11. 12 clarifies this point further). The ESP header contains the SPI, the sequence number of the packet, and the initialization vector fo r the encryption algo rithm. The ESP trailer contains. another hash value using the same input as the client, but using the shared secret the server has. If the result matches the value in the response parameter of the INVITE request the server 11. 1.